Slide 1: 7th CACR Information Workshop
Vulnerabilities of Multi-Application Systems
April 25, 2001
MAXIMUS

Slide 2: Smart Card Concept
• Satisfies requirement for updateable information on a portable medium.
• Portable hardware token for PKI.
• Reduces proliferation of single-use, non-standard cards.
• Eliminates redundant data entry.
[Figure: sample MARC card, cardholder name SMITH JOHN JAMES]

Slide 3: Why a Multiple Application Smart Card
• Replace Currently Issued Single Use Cards: Driver’s License, Loyalty Cards, I.D. Card, Financial Card
• Eliminate/Reduce Redundant Data Entry
• Ensure Accurate Data Entry
• Updateable/Portable Data Carrier
• Write Once - Read Many
• Card and Infrastructure Costs Can be Shared Across Participating Businesses

Slide 4: Why a Multiple Application Smart Card, Continued
• Security
  - Network: Log On, PKI
  - Physical: Access Control
• Stored Value
  - Eliminate Handling, Collection, Counting of Cash
  - Guaranteed Form of Payment
  - Completely Auditable
  - Reduce Opportunity for Theft

Slide 5: Issues
• People Issues: Privacy/Security Concerns, Operational Effectiveness, User Satisfaction, Training
• Management Issues: Requirements, Managing Data Across Multiple Applications, Risk Factors
• Technical Issues: Durability, Availability, Maintainability

Slide 6: The key to e-government solutions is authentication

Organizations providing private information over the net need assurance that the person or entity viewing and using that information is the person or entity they claim to be, and that they are authorized to do so.

Slide 7: Representative Data Model
[Figure: Data Sets to Support Range of Applications, grouped as Broad Range & Depth, Medium Range & Depth, and Limited Range & Depth. Data categories shown: Connectivity, General Military, Finance, Legal, Medical, Immunization, Dental, Optometry, General Training, Credentials, Security, Biometrics, Physical Training, Loyalty, Stored Value, Travel Support, Access Control, Demographics.]

Slide 8: Smart Card Multi-Application View
[Figure: layered architecture diagram]
• Smart Card Chips: ISO 7816 Cards, JAVA Cards, EMV Cards, Multos Cards, WFSC Cards, Proton Cards, …
• Applications on Card: Multos, WFSC, Specialty OS, Specialty Application
• Readers: Serial Readers, Parallel Readers, PC Card Readers, On Board Readers
• Platforms and interfaces: 32-bit Windows, PC/SC, POS, JAVA, DOS, UNIX, CE, TCP/IP
• Communications Protocol Manager
• Card Data Management and Version Control
• Multiple Data Management and Version Control Systems
• Applications

Slide 9: Critical Paths
• Requirements: Decision -> Documentation -> Customer Acceptance
• Funding: Decision -> Documentation -> Provided
• Card Platform: Decision -> Delivery -> Issuance
• Software Development: Delivery -> Acceptance
• Hardware: Decision -> Delivery -> Installation
• Business Case: AS-IS -> TO-BE -> Business Case Analysis

Slide 10: Vulnerabilities Additive
• Functional data bases
• Functional IT infrastructure
• Card reader devices
• User security: PIN, Card possession, Integrity
• Large user population increases threat

Slide 11: Multi-application Maturity

Stage 1: Information and Referral
Characteristics: Static Web Page, Presentation of Services, Basic Information, Links to Other Sites, No Impact on Operations

Stage 2: Customer Home Page
Characteristics: Dynamic Information, Resource Directory, Search Engine, e-Mail, Documents Available for Download, Minor Impact on Operations

Stage 3: e-business Transactions
Characteristics: On-line Transaction Processing, Web Enabled Applications, Limited Interface to Legacy Systems, Security and Authentication, Limited Personalization, Electronic Payment, Major Impact on Operations

Stage 4: e-business Transformation
Characteristics: Internet is Primary Means of Informational Exchange, Reengineered Business Processes, Optimized Organizational Model, Full Integration with Legacy Systems, Extensive Personalization, Supply Chain Optimization, Advanced Security and Authentication

Slide 12: A Day in the Life of a User
Panels: Access Control, Reduce Paperwork, Medical, Public Key Infrastructure
• Replaces Paper-based Records, Verifies Qualifications, Monitors/Tracks Personnel, Automates Reporting, Physical Access, Logical Access
• Verifies Identification, Protects Personal Information, Increases Readiness for Mobilization, Safeguards Benefits
• Verifies Identity, Automates Transactions, Eliminates Redundancy, Quality of Life, Easy Win for Policies, Eliminates Input Error
• Verifies Identification, Key Management, Secure Communications, Automates Transactions

Slide 13: A Day in the Life, Cont’d
Panels: E-Commerce, Interoperability, Entitlements, Web Enabling
• Meets Agency Business Rules, Fits into Existing Infrastructure, Not a Stand-alone “System”, Automation Enabler, Increases Customer Satisfaction
• Automation of Processes, Minimizes Dual Entries, Leverages Infrastructure, Minimizes Training, Reduces Technical Issues
• Reduces Money Handling, Identifies Entitlements, Automates Headcount
• Paperless Reports, Verifies Qualifications, Virtual Office Support, Information Visibility

Slide 14: Questions?